I. DNS basics [DNS System (server) Working Principle and attack protection methodology]
DNS: Domain Name System, the domain name resolution service. Its role on the Internet is to translate domain names into the IP addresses that the network actually uses.
BIND: Berkeley Internet Name Domain, the most widely used DNS server software on Unix.
For example, in blog.sina.com.cn, blog is the fourth-level domain name, sina the third-level domain name, com the second-level domain name and cn the top-level domain. A complete domain name can contain a maximum of 256 characters, and each label a maximum of 63 characters.
DNS is served by the in.named process. If /etc/named.conf exists, in.named reads it at startup; in.named is actually a link to /usr/sbin/named.
The lookup from name to address is called forward mapping, and the lookup from address to name is called reverse mapping.
II. DNS server installation and configuration
The following operations are performed as root on the Solaris platform. Whichever Unix release you use, the DNS configuration itself depends very little on the flavour of Unix.
1. Install BIND. The release used here is bind-9.4.2.tar.gz.
To keep the steps usable on other operating systems, we install from the source package. First download it from the ISC home page (http://www.isc.org/index.pl?/sw/bind/index.php).
Decompress:
# pwd
/opt/wacos/encle
# gunzip bind-9.4.2.tar.gz
# tar -xvf bind-9.4.2.tar
Configure, compile and install. BIND is normally installed under /usr/local, but you can change this with the --prefix option. IPv6 is not used in this example; the named binary will be installed in /usr/local/sbin:
# cd bind-9.4.2
# ./configure --prefix=/usr/local --sysconfdir=/etc --disable-ipv6
# make
# make install
The installation takes a while. Afterwards, check the installed version:
# /usr/local/sbin/named -v
BIND is now installed.
2. Generate the rndc configuration file /etc/rndc.conf (rndc controls the DNS server and ships with BIND 9).
BIND 9 requires that, before rndc can control named, the authentication file rndc.conf and its secret key are in place. The content of rndc.conf can be generated with the rndc-confgen command:
# /usr/local/sbin/rndc-confgen > /etc/rndc.conf
If the machine has no random-number generator, the program asks you to type arbitrary characters at the keyboard in place of /dev/random:
------------------------------------------
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)
Start typing:
...............................
Stop typing.
# Start of rndc.conf
...
# End of named.conf
------------------------------------------
The generated rndc.conf looks roughly like this:
# cat /etc/rndc.conf
------------------------------------------
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "ZdAFUwS0QMr95427P7Xq+w==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "ZdAFUwS0QMr95427P7Xq+w==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
------------------------------------------
When configuring /etc/named.conf later, copy everything below the line "# Use with the following in named.conf, adjusting the allow list as needed:" into named.conf, removing the leading "# " from each line.
3. Configure the DNS server's boot file /etc/named.conf
The named.conf file contains:
the location of the file that lists the root servers;
the definition of primary, secondary and cache-only servers;
the zones for which the server is authoritative;
the location of the zone data files on the server;
security options applied to specific zones;
the logging specification;
options applied to a whole group of zones.
named.conf syntax:
every statement ends with a semicolon;
a statement may contain sub-statements enclosed in { };
multi-line comments use /* */; single-line comments start with # or //.
Statements that can be defined:
acl: defines a named list of IP address matches.
options: controls global server configuration options.
zone: defines a zone.
First create the zone file directory /etc/named:
# mkdir /etc/named
Example named.conf:
# vi /etc/named.conf
------------------------------------------
options {
    // zone file directory; file names in the zone statements below are relative to it
    directory "/etc/named";
};
// Root server hints file /etc/named.root. Because of the directory option above, named
// reads "named.root" from /etc/named, so keep the file there or give the file statement
// an absolute path. The file can be downloaded from the Internet.
zone "." in {
    type hint;
    file "named.root";
};
// Forward resolution zone file /etc/named/encle.zone
zone "encle.com" in {
    type master;
    file "encle.zone";
};
// Reverse resolution zone file /etc/named/encle.rzone. "111.19.172." depends on the
// network's IP allocation: it is the first three octets of the address range in reverse order.
zone "111.19.172.in-addr.arpa" in {
    type master;
    file "encle.rzone";
};
// Loopback reverse zone file /etc/named.local (same location rule as named.root)
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "named.local";
};
// Copy the key and controls sections from the /etc/rndc.conf generated above
key "rndc-key" {
    algorithm hmac-md5;
    secret "ZdAFUwS0QMr95427P7Xq+w==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
------------------------------------------
4. Configure the zone files
Most entries in a zone data file are DNS resource records (RRs).
The order of resource records in a data file is as follows:
SOA record: declares authority for the zone
NS records: the name servers for the zone
Other records: data about hosts in the zone
A: name-to-address mapping
PTR: address-to-name mapping
CNAME: alias
Notes:
A comment starts with a semicolon and runs to the end of the line.
Set the zone's default TTL value:
The name server returns this TTL in query responses, which lets other servers keep the data in their cache for the time the TTL specifies.
Allowed units: w = week, d = day, h = hour, m = minute, s = second
Resource record format:
[name] [ttl] [class] [type] [data]
name: the domain name
ttl: cache lifetime, usually 86400 (1 day), which can also be written as 1d
class: network type; IN means the Internet
type: the resource record type of the name
data: the record data, such as a host name, an IP address or a mail contact
Resource record types:
; starts a comment
$TTL: Time To Live, the cache lifetime
SOA: Start of Authority, giving the master server, contact address, and so on
NS: Name Server
A: Address, the IPv4 address of a host
PTR: Pointer, the host name for an IP address, used in reverse resolution (resolving an IP address to a host name)
CNAME: Canonical Name, a host alias (for example, www can stand for another host name)
AAAA: quad-A, the IPv6 address of a host
A) /etc/named.root
This file is needed when the server is connected to the Internet.
Get the latest version of the file from http://www.internic.net/zones/named.root.
B) /etc/named/encle.zone
# vi /etc/named/encle.zone
------------------------------------------
; This file resolves hostnames to IP addresses in the encle.com. domain.
$ORIGIN encle.com.
$TTL 1d
encle.com.    IN SOA dns.encle.com. wangnc.gmail.com. (
                    20080201    ; serial number
                    1h          ; refresh
                    15m         ; retry
                    1w          ; expire
                    1d )        ; minimum ttl
encle.com.    IN NS   dns.encle.com.
dns           IN A    172.19.111.37
www           IN A    172.19.111.40
test          IN A    172.19.111.42
------------------------------------------
C) /etc/named/encle.rzone
# vi /etc/named/encle.rzone
------------------------------------------
; This file resolves IP addresses to hostnames in the encle.com. domain.
; $ORIGIN must equal the zone name given in named.conf; otherwise the relative
; owner names below (37, 40, 42) are treated as out-of-zone data and ignored.
$ORIGIN 111.19.172.IN-ADDR.ARPA.
$TTL 1d
111.19.172.IN-ADDR.ARPA.    IN SOA dns.encle.com. wangnc.gmail.com. (
                                20080201    ; serial number
                                3h          ; refresh
                                1h          ; retry
                                1w          ; expire
                                1d )        ; minimum ttl
111.19.172.IN-ADDR.ARPA.    IN NS   dns.encle.com.
37    IN PTR dns.encle.com.
40    IN PTR www.encle.com.
42    IN PTR test.encle.com.
------------------------------------------
D) /etc/named.local
# vi /etc/named.local
------------------------------------------
$ORIGIN 0.0.127.IN-ADDR.ARPA.
$TTL 1d
0.0.127.IN-ADDR.ARPA.    IN SOA dns.encle.com. wangnc.gmail.com. (
                             20080201    ; serial number
                             3h          ; refresh
                             1h          ; retry
                             1w          ; expire
                             1d )        ; minimum ttl
0.0.127.IN-ADDR.ARPA.    IN NS   dns.encle.com.
1    IN PTR localhost.encle.com.
------------------------------------------
5. Check the configuration files.
# /usr/local/sbin/named-checkconf /etc/named.conf
# /usr/local/sbin/named-checkzone encle.com /etc/named/encle.zone
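named-checkconf and named-checkzone validate each file on its own. The following Python script is an added example, not from the page or from BIND: it parses the zone-file format used above and cross-checks the forward and reverse zones, flagging a $ORIGIN that does not match the zone name and A records without a matching PTR (parse_zone and check_zones are assumed helper names; the embedded sample input is constructed from the zones above).

```python
# Added example (not from the page or BIND): parse the zone-file format shown
# above and cross-check forward A against reverse PTR records. Names assumed.
import re

def parse_zone(text, zone):
    """Return (effective $ORIGIN, [(owner_fqdn, TYPE, rdata), ...]). Handles $ORIGIN,
    $TTL, ';' comments, a parenthesised SOA and relative owner names (no ttl field)."""
    origin = zone.lower().rstrip(".") + "."              # default = zone name
    text = re.sub(r";[^\n]*", "", text)                  # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records = []
    for fields in (ln.split() for ln in text.splitlines() if ln.strip()):
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        elif fields[0] != "$TTL":
            owner, rest = fields[0].lower(), fields[1:]
            if rest[0].lower() == "in":                  # optional class field
                rest = rest[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):                # relative name: append origin
                owner += "." + origin
            records.append((owner, rest[0].upper(), " ".join(rest[1:]).lower()))
    return origin, records

def check_zones(fwd_text, fwd_zone, rev_text, rev_zone):
    """Return a list of problems; an empty list means the zones agree."""
    problems, a_by_ip, ptr_by_ip = [], {}, {}
    for text, zone in ((fwd_text, fwd_zone), (rev_text, rev_zone)):
        origin, records = parse_zone(text, zone)
        if origin != zone.lower().rstrip(".") + ".":     # catches a wrong $ORIGIN line
            problems.append(f"$ORIGIN {origin} is outside zone {zone}")
        for owner, rtype, rdata in records:
            if rtype == "A":
                a_by_ip[rdata] = owner
            elif rtype == "PTR" and owner.endswith(".in-addr.arpa."):
                octets = owner[:-len(".in-addr.arpa.")].split(".")
                ptr_by_ip[".".join(reversed(octets))] = rdata   # back to dotted IPv4
    for ip, name in a_by_ip.items():
        if ptr_by_ip.get(ip) != name:
            problems.append(f"A {name} -> {ip} has no matching PTR")
    for ip, name in ptr_by_ip.items():
        if ip not in a_by_ip:
            problems.append(f"PTR {ip} -> {name} has no matching A")
    return problems

# Constructed sample input, abridged from the two zone files above.
FWD = ("$ORIGIN encle.com.\n$TTL 1d\nencle.com. IN SOA dns.encle.com. wangnc.gmail.com. (\n"
       "  20080201 ; serial\n  1h 15m 1w 1d )\ndns IN A 172.19.111.37\nwww IN A 172.19.111.40\n")
REV = "$ORIGIN 111.19.172.IN-ADDR.ARPA.\n$TTL 1d\n37 IN PTR dns.encle.com.\n40 IN PTR www.encle.com.\n"
```

Running check_zones on the real files (read from /etc/named) before starting named catches the $ORIGIN mismatch that named-checkzone reports only as ignored out-of-zone data.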
6. Start the named service process on the primary DNS server.
# /usr/local/sbin/named
or, if named.conf is not in the default location /etc:
# /usr/local/sbin/named -c /etc/named.conf
View the running process:
# ps -ef | grep named | grep -v grep
Test whether rndc works:
# /usr/local/sbin/rndc status
number of zones: 14
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
This shows that rndc can control BIND 9. If this output does not appear, check that the key in your /usr/local/etc/named.conf matches the one configured in /usr/local/etc/rndc.conf.
Check whether the log contains error messages:
# tail -f /var/adm/messages
Jan 30 14:26:54 fsdb37 named[15667]: [ID 873579 daemon.notice] starting BIND 9.4.2
Jan 30 14:26:54 fsdb37 named[15667]: [ID 873579 daemon.error] binding TCP socket: address in use
Jan 30 14:26:54 fsdb37 last message repeated 1 time
Jan 30 14:26:54 fsdb37 named[15667]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
Jan 30 14:26:54 fsdb37 named[15667]: [ID 873579 daemon.notice] running
Note:
Solaris 8 and 9 ship with BIND pre-installed in /usr/sbin; the program is in.named, and its own nslookup and other tools come with it. You can check its version:
# /usr/sbin/in.named -v
in.named BIND 8.2.4 Fri May 19 04:41:53 PDT 2006
Generic Patch-5.8-May 2006
In addition, the in.named startup is defined in /etc/rc2.d/S72inetsvc: as long as a named.conf file exists in /etc, in.named is started when the system boots.
------------------------------------------
...
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
    echo 'starting internet domain name server.'
    /usr/sbin/in.named &
fi
...
------------------------------------------
When we install our own BIND, its named.conf is by default placed under /etc as well. The consequence is that once our BIND is configured, the Solaris pre-installed BIND starts first at boot, and when our own BIND starts it reports that port 53 is already in use. The fix is to edit /etc/rc2.d/S72inetsvc, comment out everything related to in.named and add our own named there instead, so that our DNS server starts automatically at boot.
In addition, the system's own nslookup lives in /usr/sbin/, while the nslookup installed with BIND 9 lives in /usr/local/bin, so there are two nslookup binaries on the system. In the PATH environment variable, /usr/sbin usually comes before /usr/local/bin, so typing nslookup runs the older version and may produce error messages. The fix is either to overwrite the old nslookup file or to adjust PATH so that /usr/local/bin comes first.